A refresh token is a special credential that can be used to obtain access tokens after an initial grant without again involving interaction with the end user. Refresh tokens allow clients to access a user’s resources even when the user does not have an active session with the client.
A client requests a refresh token at the same time that an access token is requested. When the access token becomes invalid or expires, the refresh token can be used to request another access token for the same set of scopes (or a subset of those scopes).
- The client uses the authorization code grant type to request an access token. It must request the `offline_access` scope and set `prompt=consent`, or else a refresh token will not be issued.
- When the client needs to exchange a refresh token for a new access token, it uses the refresh token grant type. This is a server-to-server interaction; at this point, the end user is no longer involved.
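The two steps above, as an added example that is not part of this page or of any particular authorization server's code: a client-side builder for the authorization request (which refuses to proceed without `offline_access`) and a minimal in-memory stand-in for the token endpoint that handles `grant_type=refresh_token`, issues opaque (non-JWT) refresh tokens, and rejects any refresh that asks for more than the originally granted scopes. Endpoint, client id and redirect URI are constructed placeholders.

```python
import secrets
from urllib.parse import urlencode

# Constructed placeholder values; not a real deployment.
AUTHORIZE_ENDPOINT = "https://issuer.example/oauth2/v1/authorize"
CLIENT_ID = "client-abc"
REDIRECT_URI = "https://app.example/callback"


def build_authorization_url(scopes, state):
    """Authorization code request. offline_access and prompt=consent are
    both required for the server to issue a refresh token."""
    if "offline_access" not in scopes:
        raise ValueError("offline_access missing: no refresh token would be issued")
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),
        "prompt": "consent",
        "state": state,  # CSRF binding for the redirect back to the client
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


class TokenStore:
    """Hypothetical in-memory model of the token endpoint's refresh handling."""

    def __init__(self):
        self._refresh = {}  # opaque refresh token -> scopes granted at consent time

    def issue(self, granted_scopes):
        token = secrets.token_urlsafe(32)  # opaque handle, not a JWT, no claims
        self._refresh[token] = frozenset(granted_scopes)
        return token

    def refresh(self, form):
        """Server-to-server refresh: same scopes or a subset, never more."""
        if form.get("grant_type") != "refresh_token":
            return {"error": "unsupported_grant_type"}
        granted = self._refresh.get(form.get("refresh_token"))
        if granted is None:
            return {"error": "invalid_grant"}  # unknown or revoked token
        requested = set(form["scope"].split()) if form.get("scope") else set(granted)
        if not requested <= granted:
            return {"error": "invalid_scope"}  # scope escalation attempt
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "scope": " ".join(sorted(requested))}
```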
Refresh tokens may also be granted using the password grant type. Note, however, that the user's consent cannot be obtained when using this grant type, so use it to request a refresh token with care.
Refresh tokens are not JWTs and do not contain claims that may be inspected by clients.